Summary of Findings
- A Chinese APT group is sending malicious documents to employees of a Southeast Asian government agency in an ongoing surveillance operation.
- The operators of the Necro Python bot have added new functionality to its toolset, including remote command execution exploits.
- TeamTnT has been evolving its cryptojacking operations to enumerate AWS cloud environments for lateral movement and post-exploitation activities.
- Assertions by Prometheus, a new ransomware gang, that it is part of REvil may be an effort to exploit the other gang's notoriety to persuade victims to pay.
- As indicated by its name, the APT group BackdoorDiplomacy targets foreign affairs ministries by exploiting internet-exposed applications to gather information.
Chinese Threat Group Targeting SE Asian Government with Unknown Backdoor
A Chinese threat group is leveraging a previously unknown backdoor in its ongoing surveillance operation against a Southeast Asian government entity. The operation has been active for at least three years. The group targets government employees with malicious Microsoft Word documents that exploit the Equation Editor vulnerability, using the RoyalRoad builder to create the weaponized Rich Text Format (RTF) files. The weaponized document retrieves a loader, which installs the backdoor on the system.
Necro Python Bot Updated with New Functionality
An unidentified actor has updated the Necro Python bot with new functionality to expand the types of systems it can compromise. While the exact timing of the update is unknown, the bot's activity has been increasing since January 2021. It can now exploit vulnerabilities in VMware vSphere, SCO OpenServer, and Vesta Control Panel to execute commands remotely. New command-and-control (C2) functionality was also added. The Necro Python bot targets small office and home office (SOHO) routers.
TeamTnT Targets Cloud Platforms
The cybercriminal group TeamTnT continues to evolve its toolsets for its campaigns, which now include using compromised Amazon Web Services (AWS) credentials to enumerate AWS cloud environments. The toolsets are able to identify:
- Identity and Access Management (IAM)
- Elastic Compute Cloud (EC2)
- Simple Storage Service (S3) buckets
- CloudTrail configurations
- CloudFormation operations
TeamTnT now also targets Google Cloud applications for credential theft. The group has added Peirates, an open-source container and cloud penetration-testing tool, to its toolset for internal reconnaissance and lateral movement.
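The enumeration described above leaves a recognizable footprint in CloudTrail: one access key issuing list and describe calls against several services in quick succession. The following is an added example, not code from the original newsletter or from TeamTnT's tooling, of a small detector for that pattern. It assumes CloudTrail management events are available as JSON in the standard log-file layout; the access key IDs, timestamps, and events in the sample are constructed for the demonstration.

```python
"""Flag a burst of read-only AWS enumeration calls from a single access key.

Groups CloudTrail records by access key and reports keys that touch several
distinct services with list/describe calls inside a short window, the shape
a credential-stealing cryptojacker produces while mapping an account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration calls for the services named in the report (IAM, EC2, S3,
# CloudTrail, CloudFormation). Extend as needed for your environment.
ENUM_ACTIONS = {
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "ListAccessKeys",
                          "GetAccountAuthorizationDetails"},
    "ec2.amazonaws.com": {"DescribeInstances", "DescribeSecurityGroups",
                          "DescribeRegions"},
    "s3.amazonaws.com": {"ListBuckets"},
    "cloudtrail.amazonaws.com": {"DescribeTrails", "GetTrailStatus"},
    "cloudformation.amazonaws.com": {"DescribeStacks", "ListStacks"},
}

# Constructed sample in CloudTrail log-file layout (not real account data).
# Key ...000001 enumerates five services within two minutes; key ...000002
# makes two unrelated calls hours apart and should not be flagged.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-06-10T09:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:00:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:00:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:01:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:01:55Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2021-06-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2021-06-10T14:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]})


def load_records(text):
    """Parse a CloudTrail log file (JSON with a top-level "Records" list)."""
    return json.loads(text)["Records"]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_bursts(records, window=timedelta(minutes=10), min_services=3):
    """Return {accessKeyId: sorted services} for keys whose enumeration calls
    span at least `min_services` distinct services within `window`."""
    by_key = defaultdict(list)
    for rec in records:
        source = rec.get("eventSource")
        if rec.get("eventName") in ENUM_ACTIONS.get(source, ()):
            key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
            by_key[key].append((_parse_time(rec["eventTime"]), source))

    hits = {}
    for key, events in by_key.items():
        events.sort()
        # Slide a window starting at each event; stop at the first burst.
        for i, (start, _) in enumerate(events):
            services = {src for ts, src in events[i:] if ts - start <= window}
            if len(services) >= min_services:
                hits[key] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for key, services in find_enumeration_bursts(load_records(SAMPLE_CLOUDTRAIL)).items():
        print(f"{key}: enumerated {', '.join(services)}")
```

The write call (`RunInstances`) is ignored because only the listed read-only actions count toward a burst; tune `window` and `min_services` to your account's normal automation before alerting on this in production.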
Prometheus Group Claims to Be Part of REvil
A new ransomware group named Prometheus, which uses malware and techniques similar to those of the Thanos group, claims to be part of REvil, a better-known ransomware gang. However, Unit 42 researchers see no evidence to support this claim, which they speculate could be an attempt to leverage REvil's reputation to persuade victims to pay, or an attempt to divert attention away from Thanos. Prometheus uses double-extortion tactics and maintains a leak site to pressure victims into paying. Ransom demands range from $6,000 to $100,000 in Monero, with the price doubling if the victim does not pay within the stated deadline, usually a week. Prometheus actively targets multiple industries globally.
BackdoorDiplomacy Uses Turian Backdoor on Government Ministries
The APT group BackdoorDiplomacy has been targeting diplomatic organizations, and less frequently telecommunications companies, in Africa and the Middle East with the Turian backdoor since 2017. Recent analysis highlighted BackdoorDiplomacy's similarities with Asia-based threat groups: Turian's network encryption protocol resembles that of Whitebird, a backdoor operated by the Asia-based group Calypso, and BackdoorDiplomacy's tactics and techniques resemble those of the Asia-based group APT15. The group exploits vulnerable internet-exposed applications to drop and execute a webshell, then deploys open-source tools for reconnaissance and information gathering. The backdoor can also scan for removable media and copy their contents.